Theft of Apple UDIDs Mitigated by News the FBI Didn't Have Them

It's bad enough that 12 million Apple device identifiers have been stolen -- but it would have been worse if the first rumor surrounding the hack had been true: that they were stolen from the FBI. That would have suggested some unpleasant Big Brother activity might have been going on. What a relief to find out they were merely lifted from a third-party app developer with loose security practices.

The case of the stolen database of Apple device identifiers is getting more intriguing by the day, with an entirely new player -- an app development company called
"BlueToad"-- joining the cast of characters.

BlueToad execs told reporters that the Apple UDIDs were stolen from it in a cyberattack launched two weeks ago.

One week ago, hackers connected to
#AntiSec claimed to have stolen more than 12 million Apple UDIDs from the laptop of an agent with the Federal Bureau of Investigation. To prove the claim, they posted a million of the unique identifiers online.

"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," it said in a statement. "At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

The allegations against the FBI were of great interest because if it had been in possession of such data, it would have suggested the agency was using it to spy on American citizens.

BlueToad Takes the Heat

It appears that David Schuetz, a security consultant with Intrepidus Group
tracked the breach back to BlueToad and wrote about it in a blog post.

The details are not completely clear even to him, though. "Was BlueToad really the source of the breach?" Schuetz wondered. "How did the data get to the FBI (if it really did at all)? Or is it possible this is just a secondary breach, not even related to the UDID leak, and it was just a coincidence that I noticed? Finally, why haven't I noticed any of their applications in the (very few) lists of apps I've received?"

A BlueToad spokesperson was not immediately available to comment for this story. Apple did not respond to our request to comment for this story.

Spotlighting Mobile App Security Practices

Now the question has shifted to what BlueToad was doing with that information.

In fact, it is not surprising a developer would be collecting UDIDs for its work, Kyle Wiens,
iFixit cofounder and CEO, told MacNewsWorld.

BlueToad probably didn't have nefarious intent in collecting the data, "but they could have secured the information better," he said.

Apple is surely dismayed at BlueToad's actions, Wiens continued. "Prior to this incident, Apple changed their policies so that developers won't be allowed to collect device-specific information at this scale in the future."

It is not surprising that hackers targeted a mobile app developer, Peter Toren, an attorney with
Weisbrod Matteis & Copley, told MacNewsWorld. "Frankly, nothing in online security surprises me these days. Hackers seem to be two steps ahead of security of many companies, including developers."

'By the Book'

Part of BlueToad's public defense has been that it followed procedures "by the book."

That indeed may be the problem, Robert Siciliano, CEO of
IDTheftSecurity.com, told MacNewsWorld.

"Numerous hacks have occurred over the last decade where the victimized company was 'by the book,'" he said, "but generally that means they didn't think their data would be targeted in the first place, so they were minimally secured, providing their employees the conveniences of easy access opposed to maximum security, which is often cumbersome and expensive."

A Teachable Moment?

It would be easier to vilify -- or acquit -- BlueToad if it would release technical information about the breach -- but it hasn't, noted Alex Horan, senior product manager,
CORE Security. "This could be because they haven't completely fixed the hole that the attackers used to get in," he told MacNewsWorld. "However disclosing the technical details helps everyone else in the security community learn from their experience."

As for this becoming a teachable moment for the industry, Andrew Jaquith, CTO at
Perimeter E-Security, isn't exactly holding his breadth.